<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Add nodes to your cluster | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'encrypting-communications-hosts.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/encrypting-communications-hosts.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/encrypting-communications-hosts.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/encrypting-communications-hosts.html" rel="nofollow" target="_blank">../en/encrypting-communications-hosts.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="encrypting-internode-communications.html">Tutorial: Encrypting communications</a></span>
»
<span class="breadcrumb-node">Add nodes to your cluster</span>
</div>
<div class="navheader">
<span class="prev">
<a href="encrypting-internode.html">« Encrypt internode communications</a>
</span>
<span class="next">
<a href="security-troubleshooting.html">Troubleshooting security »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="encrypting-communications-hosts"></a>Add nodes to your cluster<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>You can add more nodes to your cluster and optionally designate specific
purposes for each node. For example, you can allocate master nodes, data nodes,
ingest nodes, machine learning nodes, and dedicated coordinating nodes. For
details about each node type, see <a href="modules-node.html" class="ulink" target="_top">Nodes</a>.</p>
<p>Let’s add two nodes to our cluster!</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Install two additional copies of Elasticsearch. It’s possible to run multiple Elasticsearch
nodes using a shared installation. In this tutorial, however, we’re keeping
things simple by using the <code class="literal">zip</code> or <code class="literal">tar.gz</code> packages and by putting each copy
in a separate folder. You can simply repeat the steps that you used to install
Elasticsearch in the
<a href="https://www.elastic.co/guide/en/elastic-stack-get-started/7.7/get-started-elastic-stack.html#install-elasticsearch" class="ulink" target="_top">Getting started with the Elastic Stack</a>
tutorial.
</li>
<li class="listitem">
<p>Generate certificates for the two new nodes.</p>
<p>For example, run the following command:</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">./bin/elasticsearch-certutil cert \
--ca elastic-stack-ca.p12 \ <a id="CO501-1"></a><i class="conum" data-value="1"></i>
--multiple</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO501-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>Use the certificate authority that you created in <a class="xref" href="encrypting-communications-certificates.html" title="Generate certificates">Generate certificates</a>.</p>
</td>
</tr>
</table>
</div>
<p>You are prompted for information about each new node. Specify <code class="literal">node-2</code> and
<code class="literal">node-3</code> for the instance names. For the purposes of this tutorial, specify the
same IP address (<code class="literal">127.0.0.1,::1</code>) and DNS name (<code class="literal">localhost</code>) for each node.</p>
<p>You are prompted to enter the password for your CA. You are also prompted to
create a password for each certificate.</p>
<p>By default, the command produces a zip file named <code class="literal">certificate-bundle.zip</code>,
which contains the generated certificates and keys.</p>
</li>
<li class="listitem">
<p>Decompress the <code class="literal">certificate-bundle.zip</code> file. For example:</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">unzip certificate-bundle.zip

Archive:  certificate-bundle.zip
   creating: node-2/
  inflating: node-2/node-2.p12
   creating: node-3/
  inflating: node-3/node-3.p12</pre>
</div>
<p>The <code class="literal">certificate-bundle.zip</code> file contains a folder for each of your nodes. Each
folder contains a single PKCS#12 keystore that includes a node certificate,
node key, and CA certificate.</p>
</li>
<li class="listitem">
Create a folder to contain certificates in the configuration directory of each
Elasticsearch node. For example, create a <code class="literal">certs</code> folder in the <code class="literal">config</code> directory.
</li>
<li class="listitem">
Copy the appropriate certificate to the configuration directory on each node.
For example, copy the <code class="literal">node-2.p12</code> file into the <code class="literal">config/certs</code> directory on the
second node and the <code class="literal">node-3.p12</code> into the <code class="literal">config/certs</code> directory on the third
node.
</li>
<li class="listitem">
<p>Specify the name of the cluster and give each node a unique name.</p>
<p>For example, add the following settings to the <code class="literal">ES_PATH_CONF/elasticsearch.yml</code>
file on the second node:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">cluster.name: test-cluster
node.name: node-2</pre>
</div>
<p>Add the following settings to the <code class="literal">ES_PATH_CONF/elasticsearch.yml</code>
file on the third node:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">cluster.name: test-cluster
node.name: node-3</pre>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>In order to join the same cluster as the first node, they must share the
same <code class="literal">cluster.name</code> value.</p>
</div>
</div>
</li>
<li class="listitem">
<p>(Optional) Provide seed addresses to help your nodes discover other nodes with
which to form a cluster.</p>
<p>For example, add the following setting in the <code class="literal">ES_PATH_CONF/elasticsearch.yml</code>
file:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">discovery.seed_hosts: ["localhost"]</pre>
</div>
<p>The default value for this setting is <code class="literal">127.0.0.1, [::1]</code>, therefore it isn’t
actually required in this tutorial. When you want to form a cluster with nodes
on other hosts, however, you must use this setting to provide a list of
master-eligible nodes to seed the discovery process. For more information, see
<a href="modules-discovery-hosts-providers.html" class="ulink" target="_top">Discovery</a>.</p>
</li>
<li class="listitem">
<p>On each node, enable TLS for transport communications. You must also configure
each node to identify itself using its signed certificate.</p>
<p>For example, add the following settings in the <code class="literal">ES_PATH_CONF/elasticsearch.yml</code>
file:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/${node.name}.p12 <a id="CO502-1"></a><i class="conum" data-value="1"></i>
xpack.security.transport.ssl.truststore.path: certs/${node.name}.p12</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO502-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>If the file name for your certificate does not match the <code class="literal">node.name</code> value,
you must put the appropriate file name in the <code class="literal">elasticsearch.yml</code> file.</p>
</td>
</tr>
</table>
</div>
</li>
<li class="listitem">
<p>On each node, store the password for the PKCS#12 file in the Elasticsearch keystore.</p>
<p>For example, run the following commands:</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">./bin/elasticsearch-keystore create <a id="CO503-1"></a><i class="conum" data-value="1"></i>
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO503-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>If the Elasticsearch keystore already exists, this command asks whether you want to
overwrite it. You do not need to overwrite it; you can simply add settings to
your existing Elasticsearch keystore.</p>
</td>
</tr>
</table>
</div>
<p>On the second node, supply the password that you created for the <code class="literal">node-2.p12</code>
file. On the third node, supply the password that you created for the
<code class="literal">node-3.p12</code> file.</p>
</li>
<li class="listitem">
<p>Start each Elasticsearch node. For example, if you installed Elasticsearch with a <code class="literal">.tar.gz</code>
package, run the following command from each Elasticsearch directory:</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">./bin/elasticsearch</pre>
</div>
<p>See <a href="starting-elasticsearch.html" class="ulink" target="_top">Starting Elasticsearch</a>.</p>
<p>If you encounter errors, you can see some common problems and solutions in
<a class="xref" href="trb-security-ssl.html" title="Common SSL/TLS exceptions">Common SSL/TLS exceptions</a>.</p>
</li>
<li class="listitem">
<p>Verify that your cluster now contains three nodes.</p>
<p>For example, log into Kibana with the <code class="literal">elastic</code> built-in user. Go to
<span class="strong strong"><strong>Dev Tools &gt; Console</strong></span> and run the <a href="cluster-health.html" class="ulink" target="_top">cluster health API</a>:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET _cluster/health</pre>
</div>
<div class="console_widget" data-snippet="snippets/1270.console"></div>
<p>Confirm the <code class="literal">number_of_nodes</code> in the response from this API.</p>
<p>You can also use the <a href="cat-nodes.html" class="ulink" target="_top">cat nodes API</a> to identify the master
node:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET _cat/nodes?v</pre>
</div>
<div class="console_widget" data-snippet="snippets/1271.console"></div>
<p>The node that has an asterisk(*) in the <code class="literal">master</code> column is the elected master
node.</p>
</li>
</ol>
</div>
<p>Now that you have multiple nodes, your data can be distributed across the
cluster in multiple primary and replica shards. For more information about the
concepts of clusters, nodes, and shards, see
<a href="getting-started.html" class="ulink" target="_top">开始使用 Elasticsearch</a>.</p>
<h3>
<a id="encrypting-internode-nextsteps"></a>What’s next?<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc">edit</a>
</h3>
<p>Congratulations! You’ve encrypted communications between the nodes in your
cluster and can pass the
<a href="bootstrap-checks-xpack.html#bootstrap-checks-tls" class="ulink" target="_top">TLS bootstrap check</a>.</p>
<p>If you want to encrypt communications between other products in the Elastic Stack, see
<a class="xref" href="encrypting-communications.html" title="Encrypting communications"><em>Encrypting communications</em></a>.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="encrypting-internode.html">« Encrypt internode communications</a>
</span>
<span class="next">
<a href="security-troubleshooting.html">Troubleshooting security »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>